This invention relates to the field of electronic financial transaction processing and, more specifically, to a method and means for securing electronic financial transaction processing systems utilizing conventional computer networks for transmission of data from a remote terminal to a host computer system.
The advent of electronic financial transaction processing has precipitated an unprecedented revolution in the manner in which commercial transactions are conducted. Transactions which previously required the physical transfer of currency or commercial paper, such as bank checks, are now executed electronically using computers.
Over the past several years, electronic financial transaction processing has become commonplace. Ordinary consumers may now purchase groceries, gasoline, and airline tickets using an automated teller card or credit card issued to them by their respective banks. In using electronic financial transaction processing to purchase such goods and services, consumers electronically transfer funds from their own bank or credit account to the account of the respective vendor. Hence, electronic financial transaction processing eliminates the consumer's need to carry currency or checks.
Electronic financial transaction processing, as implemented in the context of common consumer use, is generally implemented in one of two ways.
The first most common implementation of electronic financial transaction processing is the automated teller machine, commonly referred to as an ATM. Over the past several years, the use of ATMs has become so widespread that it is virtually an indispensable convenience which banking customers have come to expect as a standard banking service. Generally accessible twenty-four hours a day, ATMs are commonly located at the bank site or in consumer-populated areas such as shopping centers or airports. The banking customer can use the ATM to perform most routine banking transactions such as deposits and withdrawals, account balance updates, credit card payments and so forth.
The second most common implementation of electronic financial transaction processing is the point-of-sale terminal, commonly referred to as a POS terminal. Currently, point-of-sale terminals are most commonly found at gasoline stations and grocery stores. Rather than paying for purchases by check or with cash, consumers use their electronic banking card or credit card to "pay" for their purchase by electronically transferring funds from their own account to the vendor's account. Accordingly, consumers may shop and travel without the requirement that they carry a large amount of cash in order to make purchases.
Electronic financial transaction processing, however, has created a wide variety of security problems unique to the art. While electronic financial transaction processing is highly desirable due to the the elimination of the requirement of carrying cash to make purchases and is an efficient way to accomplish transactions without substantial human intervention, security concerns are of paramount importance as the potential for abuse is considerable. Unauthorized persons, commonly referred to in the trade as "adversaries," could gain access to the electronic financial transaction processing system and conduct a wide variety of damaging fraudulent transactions. Hence, as the vault is critical to the protection of currency and commercial paper, an effective means of securing the electronic financial transaction processing system is likewise essential to the electronic financial transaction processing art.
In most existing electronic financial transaction processing systems, the bank or other cardissuing institution issues the customer a card which has been magnetically encoded with the user's account number. The bank likewise issues or permits the customer to select a personal identification number (PIN), known only to the customer, to be used in authorizing the customer's access to the electronic financial transaction processing system at the time of a given transaction. Normally, the PIN is memorized by the customer. The PIN and card enable customer access to the system and, when properly used by the individual, provide the desired access to the system.
When a customer desires to perform an electronic transaction in such a prior art system, he will enter his PIN at the ATM or POS terminal by the customer prior to proceeding with the transaction. This ATM or POS terminal also will read the card of the individual keying in the PIN. An identity verification is then typically accomplished by a comparison of the PIN or other number derived from the PIN and the customer's account number with the records of the issuing institution. Accordingly, the PIN, which is the basis for the verification process, must usually be transmitted from the ATM or POS terminal to a remote processing station for processing.
Although the above-described card and PIN system provides some protection, this system alone is not sufficiently secure to confidently maintain the integrity of the electronic financial transaction processing system.
The system is vulnerable, if, for example, the PIN itself is transmitted in an unencrypted state to a remote processing station. An adversary monitoring the transmission lines or other channel of communication could intercept the PIN and, using this information, be able to gain unauthorized access to the customer's accounts. Hence, it is not desirable to transmit the PIN from the ATM or POS terminal to the remote processing station.
Consequently, in many existing systems the PIN is transmitted from the ATM or POS terminal in encrypted form. In such a system, the PIN is encrypted using a number, known as a "key," to produce an encrypted PIN. Theoretically, the PIN, when it is transmitted to the remote processing station, is secure because it has been encrypted using a key known only to the card-issuing institution. However, if an adversary ascertains the key, the system is no longer secure as the PIN may be determined if the encryption process can be reversed.
Unlawful acquisition of the key is a particular problem in the POS terminal environment. In the POS terminal environment, the key is typically resident within the terminal itself so as to enable on-site encryption prior to transmission. Because the POS terminal units are generally portable, there is a substantial risk that the terminal might be stolen, disassembled and the key ascertained. In such a scenario, the system once again becomes vulnerable because an adversary could use the key to decrypt other transmitted encrypted PINs.
The transmission of identification and transaction authorization data is usually accomplished utilizing a computer network. The ATM or POS terminal is generally a terminal in a larger data processing network wherein the transmitted PIN may be decrypted and re-encrypted several times before reaching the remote process station.
In this network system, the remote processing station is electronically isolated from the POS terminal. Because the PIN is re-encrypted at various points along the network, the remote processing station, which may be located at the card issuing institution, may have no knowledge as to the PIN encryption key resident within the ATM or POS terminal. The encrypted PIN, as it is received at various points along the network, is re-encrypted using a PIN encryption key unique to that point of transmission.
The existing system, most particularly as applied in the POS terminal environment, remains substantially vulnerable to unauthorized access by adversaries. Because the PIN, albeit encrypted under a number of different PIN encryption keys, itself is transmitted along the network, the PIN remains in constant danger of being captured by an adversary. As the encrypted PIN is decrypted and re-encrypted under several PIN encryption keys as it is transmitted through the network, the adversary consequently has several opportunities to capture the PIN at various points throughout the network. Moreover, the adversary need only ascertain one of these PIN encryption keys in order to capture the transmitted PIN.
Because the security of the PIN encryption keys becomes as important as the security of the PIN itself, key management is a paramount concern. Management of these PIN encryption keys in a complex network can be a very formidable and, in some instances, troublesome task. Accordingly, card-issuing institutions prefer isolating themselves from the network system from a key management perspective.
Consequently, there is a great need in the art of electronic financial transaction processing for a user authorization system, particularly in the POS terminal environment, which minimizes the risk that the PIN will be captured as data is transmitted along a network.